Service Organization Control (SOC) Reporting Options and Information

Overview

Service Organization Control (SOC) reports are designed to help service organizations meet specific user needs:

- SOC 1 Report – Addresses internal controls over financial reporting
  - Performed in accordance with Statement on Standards for Attestation Engagements (SSAE) 16, Reporting on Controls at a Service Organization
  - Focuses solely on controls at a service organization that are likely to be relevant to an audit of a user entity’s financial statements
- SOC 2 and SOC 3 Reports – Address controls at the service organization that typically relate to understanding the effectiveness of controls around operations and technology compliance
  - SOC 2 Report – Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and/or Privacy
  - SOC 3 Report – Trust Services Report – Opinion Letter Only

“When users of a service organization’s services (user entities) outsource these tasks and functions, many of the risks of the service organization become risks of the user entities.” - AICPA, Service Organization Controls, November 2010

SOC 1 Reports

Focus is on internal control over financial reporting. Similar to SAS 70, there are two types of SOC 1 reports:

- Type 1: A report on management’s description of the service organization’s system and the suitability of the design of the controls to achieve the related control objectives included in the description as of a specified date
- Type 2: A report on management’s description of the service organization’s system and the suitability of the design and operating effectiveness of the controls to achieve the related control objectives included in the description throughout a specified period

Use of subservice organizations is addressed by either the carve-out or the inclusive method. A SOC 1 is a restricted-use report, limited to user organizations and their auditors.

SOC 2 & 3 Reporting Overview

Addresses controls at the service organization that relate to operations and/or compliance and are based on the Trust Services principles and criteria:

- Security
- Availability
- Processing integrity
- Confidentiality
- Privacy

A report may cover one or more of the Trust Services Principles, as specified by management.

SOC 2 Reporting

Similar to a SOC 1 report, there are two types of reports:

- Type 1: A report on management’s description of a service organization’s system and the suitability of the design of controls
- Type 2: A report on management’s description of a service organization’s system and the suitability of the design and operating effectiveness of controls

Many of the requirements for SOC 2 are the same as for SOC 1:

- May be restricted in use
- Management’s assertion
- System description, risk assessment, etc.

A service organization may request that the service auditor’s report address additional subject matter that is not specifically covered by the Trust Services Principles (regulatory items such as HIPAA, GLBA, etc.).

SOC 3 Reporting

Designed to meet the needs of users who want assurance on controls at a service organization but do not have the need for, or the knowledge necessary to make effective use of, a SOC 2 report. Prepared using the AICPA/CICA Trust Services principles and criteria, which include Security, Availability, Processing Integrity, Confidentiality, and Privacy.

The key difference between a SOC 2 report and a SOC 3 report is that a SOC 2 report, which is generally a restricted-use report, contains a detailed description of the service auditor’s tests of controls, whereas the SOC 3 provides only an opinion letter (the report) and potentially a SysTrust Seal (for unqualified opinions only). Because they are general-use reports, SOC 3 reports can be freely distributed or posted on a website as a seal.

Trust Principles

- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

Reminder: A report (audit) may cover one or more of the Trust Services Principles, as specified by management.

Organization of Trust Principles

Each of the Trust Services Principles is organized into four areas, each with its own set of criteria:

- Policies. The entity has defined and documented its policies relevant to the particular principle.
- Communications. The entity has communicated its defined policies to authorized users.
- Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.
- Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.

Organization of Trust Principles

There is much commonality between the Trust Principle areas, such that examining one area under one principle often covers the similar examination of the others. Starting in December 2014 the standards combine these redundant criteria.

Number of criteria per area and principle:

                    Security   Availability   Processing Integrity   Confidentiality
  Policies               3            3                   3                   3
  Communications         5            5                   5                   5
  Procedures            14           17                  21                  21
  Monitoring             3            3                   3                   3
  Total                 25           28                  32                  32

Generally Accepted Privacy Principles (GAPP)

Generally Accepted Privacy Principles have a number of unique areas, each with its own criteria. Criteria counts per area:

- Management: Privacy Policies (3), Procedures and Controls (11)
- Notice: Policies and Communications (2), Procedures and Controls (3)
- Choice and Consent: Policies and Communications (3), Procedures and Controls (4)
- Collection: Policies and Communications (3), Procedures and Controls (4)
- Use, Retention and Disposal: Policies and Communications (2), Procedures and Controls (3)
- Access: Policies and Communications (2), Procedures and Controls (6)
- Disclosure to Third Parties: Policies and Communications (3), Procedures and Controls (4)
- Security for Privacy: Policies and Communications (2), Procedures and Controls (7)
- Quality: Policies and Communications (2), Procedures and Controls (2)
- Monitoring and Enforcement: Policies and Communications (2), Procedures and Controls (5)

Summary of New Standards & Options

SOC 1
- Purpose: Reports on controls related to financial statement audits (ICFR)
- Guidance: SSAE 16 – Service Auditor Guidance
- Use: Restricted Use Report (Type I or II report)
- Contents: Description of the service organization’s system; CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls; a type 2 report includes a description of the CPA firm’s tests of controls and results

SOC 2
- Purpose: Typically reports on controls related to compliance or operations
- Guidance: Trust Services Principles & Criteria*; AT 101
- Use: Generally a Restricted Use Report
- Contents: Description of the service organization’s system; CPA’s opinion on fairness of presentation of the description, suitability of design and, in a type 2 report, the operating effectiveness of controls; a type 2 report includes a description of the CPA firm’s tests of controls and results

SOC 3
- Purpose: Reports on controls related to compliance or operations
- Guidance: Trust Services Principles & Criteria*; AT 101
- Use: General Use Report (with a public seal)
- Contents: An unaudited system description used to delineate the boundaries of the system; CPA’s opinion on whether the entity maintained effective controls over its systems; does not contain a description of the CPA firm’s tests of controls and results (opinion letter only)

Readiness Assessment Service Approach

1. Review relevant client agreements/contracts and determine which Trust Services Principles are to be covered in the SOC report(s).
2. Perform a readiness assessment covering the design effectiveness of control activities supporting the selected TSP criteria.
3. Review the company’s policies and procedures documentation to identify internal controls and identify gaps.
4. Meet with management to develop a remediation plan and next steps.
5. Perform high-level testing to determine operating effectiveness of controls.
6. Report areas that are not operating effectively and develop a plan to remediate control deficiencies.
7. (Optional) Perform SOC 2, Type 1 design testing and issue an opinion letter and report.

Formal SOC Reporting Service Approach

Testing Phase – Schedule fieldwork visits to company offices (3 to 5 days on-site)

- Interim Testing – Perform the initial assessments, walkthroughs and effectiveness testing. The testing team meets with key control owners to gain an understanding of your control environment and requests the documentation used to assess the operating effectiveness of controls.
- Roll-forward Testing – Perform effectiveness testing just prior to the end of the reporting period. The testing team requests the documentation used to assess the period-end operating effectiveness of your controls.

Reporting Phase – The engagement team assembles the report and completes final reviews to issue our opinion and formal report.